Support use of IAM roles on EC2 instance to avoid passing credentials #262

Open
boutell opened this issue Dec 10, 2014 · 16 comments

Comments

@boutell
Contributor

boutell commented Dec 10, 2014

The key and secret are currently hard requirements, but AWS also supports configuring an EC2 instance to be trusted automatically. Here's how it is done with the official AWS SDK for node:

http://docs.aws.amazon.com/AWSJavaScriptSDK/guide/node-configuring.html

It would be helpful to have this feature in knox as well.

@dancet

dancet commented Dec 17, 2014

I'd love to see this also.

@makered

makered commented Feb 3, 2015

yes please!

@russel1237

👍

@markstos

+1

@domenic
Contributor

domenic commented Mar 14, 2015

Pull requests welcome, +1s discouraged.

@boutell
Contributor Author

boutell commented Mar 16, 2015

It would be very helpful to have a response to this question before investing too much coding time at this point:

#263

@boutell
Contributor Author

boutell commented Mar 16, 2015

(I don't mean to be obnoxious. I greatly appreciate knox and the value I've received from it.)

@garrettheel

+1

@tonymet

tonymet commented Mar 16, 2017

I created a wrapper, knox-ec2-role, to fetch the creds & secure token from EC2 metadata. You can use your existing knox code; just call the authenticate method beforehand.

e.g.

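```js
// Module name assumed to match the package name given above.
var knoxec2 = require('knox-ec2-role');

// Fetch the role credentials from EC2 metadata, then use the knox client as usual.
knoxec2.authenticate({bucket: 'my-bucket'}, {timeout: 5000})
  .then(function(client){
    var object = { foo: "bar" };
    var string = JSON.stringify(object);
    var req = client.put('/test/obj.json', {
        'Content-Length': Buffer.byteLength(string)
      , 'Content-Type': 'application/json'
    });
    req.on('response', function(res){
      if (200 === res.statusCode) {
        console.log('saved to %s', req.url);
      }
    });
    req.end(string);
  })
  .catch(function(err){
    // Reached when authenticate() rejects, e.g. the credentials could not be fetched.
    console.error('knox-ec2-role authentication failed:', err);
  });
```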

@markstos

@tonymet Thanks! Maybe the knox developers can merge a version of your code.

@markstos

@mattbriancon Good tip. This seems worth adding to the Knox documentation. Knox users may also be interested to know about the resolvePromise() method, which provides a Promise-based API as an alternative to the callback API: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CredentialProviderChain.html#resolvePromise-property

@mattbriancon

@markstos removed my post because I spoke too soon 🤐. The credentials were accepted but I was fooled by a different request to S3. The access keys only work with an accompanying session token but knox won't accept it anymore. Switching everything over to use the aws-sdk.
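An added example, not part of the thread and not code from knox, knox-ec2-role or the aws-sdk: it shows why role credentials cannot be dropped into a key/secret-only client, by parsing the credential document the EC2 instance metadata service returns, rejecting one without a session token, and tracking its expiry. The function names and the sample document are constructed for illustration.

```javascript
// Constructed sample of the JSON document the EC2 instance metadata service
// returns for an attached role; every value is a placeholder, not a real secret.
const SAMPLE_BODY = JSON.stringify({
  Code: 'Success',
  LastUpdated: '2018-10-26T12:00:00Z',
  Type: 'AWS-HMAC',
  AccessKeyId: 'ASIAEXAMPLEKEYID0000',
  SecretAccessKey: 'constructed-secret-for-illustration',
  Token: 'constructed-session-token',
  Expiration: '2018-10-26T18:00:00Z'
});

// Hypothetical helper: validate the document and return usable credentials.
function parseRoleCredentials(body) {
  const doc = JSON.parse(body);
  if (doc.Code !== 'Success') {
    throw new Error('metadata service returned Code=' + doc.Code);
  }
  for (const field of ['AccessKeyId', 'SecretAccessKey', 'Token', 'Expiration']) {
    if (typeof doc[field] !== 'string' || doc[field] === '') {
      throw new Error('role credentials are missing ' + field);
    }
  }
  const expiresAt = Date.parse(doc.Expiration);
  if (Number.isNaN(expiresAt)) throw new Error('unparseable Expiration');
  return { key: doc.AccessKeyId, secret: doc.SecretAccessKey, token: doc.Token, expiresAt };
}

// Role credentials are short-lived: refetch before they expire (skew in ms).
function needsRefresh(creds, nowMs, skewMs = 5 * 60 * 1000) {
  return nowMs >= creds.expiresAt - skewMs;
}

// The key pair alone is rejected; the session token has to accompany every
// request in the x-amz-security-token header, added before the request is
// signed so that the signature covers it.
function withSessionToken(headers, creds) {
  return Object.assign({}, headers, { 'x-amz-security-token': creds.token });
}
```
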

@markstos

@mattbriancon From reviewing my own package.json, it looks like we switched from Knox to aws-sdk some time ago as well. I'm going to unsubscribe from this thread.

@boutell
Contributor Author

boutell commented Oct 26, 2018

Unsubscribed as well, uploadfs switched to the aws-sdk a while back. Others seem interested though so I won't close the ticket.

@markstos

Oh hello, @boutell. I was a Wusage customer (via Summersault) years ago. I'm surprised it's missing from the list of things you are known for: https://punkave.com/about/tom-boutell 😉 Our hosting accounts often used more disk space for Wusage stats than the actual content, but we loved the graphs.

@boutell
Contributor Author

boutell commented Oct 29, 2018

Thanks for the blast from the past (:

As to those wondering what to do after knox, for what it's worth the AWS SDK has been trouble-free in uploadfs. Which is itself worth looking at if it covers your use case, since it also has drivers for local file storage and azure built in.
